#62 new

xss into session_controller

Reported by preth00nker | August 7th, 2010 @ 05:35 PM

Hello, I'm a successful user of your software, I'm very happy about your development work, so I really want to make a contribution with you. Whatever, I found a "Cross site script" vulnerability inside the restful-authentication plug-in (for Rails) and I want to fix it. When a user doesn't log in in a correct way an advice appears (Default: Couldn't log you in as 'user'), so an evil request can be used by a malicious user to take advantage of it and, I don't know, do some bad stuff. Well, the error is between lines 40-43, therefore here's the error:
    40: def note_failed_signin
    41:   flash[:notice] = "Couldn't log you in as '#{params[:login]}'"
    42:   logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
    43: end
In this instance we have 3 XSS. The first comes in line #41, where params[:login] can be used with something like '< h 1 >', so when the user reflects the answer he'll get a titled text (in bold, big font and stuff). The second one comes in line 42 (with the third bug), when the code <<#{params[:login]}' from #{request.remote_ip}>> is used by you (it's for showing the IP address and login parameters); the bug is like the first one. Well, to fix this issue we can use the function "h", which prints the outcomes as HTML-encoded type in the client-side browser.
I hope to be helpful, and please mail me for any question!
Sincerely, Christian

File: session_controller.rb
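The fix the report proposes, worked through as an added example (this is not the plugin's own code or the reporter's patch): the flash message and the log line are rebuilt as plain string functions so the reflected value can be compared before and after escaping. Rails' `h` helper is `ERB::Util.html_escape`, which is used directly here; the login string, IP address and timestamp are constructed sample values.

```ruby
require 'erb'

# Added illustration, not code from the plugin: the flash message built by
# note_failed_signin interpolates params[:login] verbatim, so any markup in
# the login field is reflected into the page unescaped.
def unsafe_failed_signin_notice(login)
  "Couldn't log you in as '#{login}'"
end

# Hardened form: run the untrusted value through ERB::Util.html_escape (what
# Rails' h helper calls) before interpolating it. &, <, >, " and ' are all
# turned into HTML entities, so the browser renders the text instead of tags.
def safe_failed_signin_notice(login)
  "Couldn't log you in as '#{ERB::Util.html_escape(login)}'"
end

# The logger.warn line interpolates the same parameter, so it gets the same
# treatment; remote_ip and now are passed in as constructed sample values.
def safe_failed_signin_log(login, remote_ip, now)
  "Failed login for '#{ERB::Util.html_escape(login)}' from #{remote_ip} at #{now}"
end

if __FILE__ == $0
  # Constructed input mimicking the report's '<h1>' case.
  login = "<h1>bob</h1>"
  puts unsafe_failed_signin_notice(login)
  puts safe_failed_signin_notice(login)
  puts safe_failed_signin_log(login, "192.0.2.1", "2010-08-07 17:35:00 UTC")
end
```

Escaping at the point where the untrusted value is interpolated, rather than when the flash is rendered, is what the report asks for; it also means the stored flash text is safe regardless of which view later prints it.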

No comments found


Restful Authentication Generator

This widely-used plugin provides a foundation for securely managing user
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.

